Will the US capitalize on its opportunity to stop data localization?
It has been six months since the U.S. Congress enacted the CLOUD Act, which authorizes the U.S. government to create executive agreements with foreign governments to enable law enforcement access to data across borders. Now, the U.S. State Department and Department of Justice are negotiating with close U.S. allies on what these bilateral agreements will look like and how they will be implemented.
However, while ensuring international law enforcement cooperation reflects the modern digital world, the U.S. government should not overlook the wider opportunity that the CLOUD Act presents in addressing a growing digital economy issue: digital protectionism. The U.S. government should use CLOUD Act agreements to push back on foreign practices that force U.S. firms to store data locally.
In today's digital world it is critical for law enforcement to have a mechanism to manage legitimate requests for data stored outside their jurisdiction. The CLOUD Act is designed to fix a major failure of the current mechanism for cross-border law enforcement investigations, called mutual legal assistance treaties (MLATs), which forces governments to go through a time-consuming bureaucratic process to access data stored abroad.
The MLAT process is bad for both foreign and domestic law enforcement. The U.S. government takes an average of 10 months to complete MLAT requests, leading to a massive backlog of foreign requests. This process often upsets allies who want little more than to investigate local crimes in which suspects happen to store data with U.S. providers. Similarly, U.S. investigations are often disrupted by lengthy and capricious responses to the U.S. government's own MLAT requests. Some countries take years to respond to requests, while others, like Russia, often do not respond at all.
While not a silver bullet, the CLOUD Act addresses these concerns by allowing participating foreign governments to directly request access to data from U.S. providers if that data is associated with a foreigner located outside the United States and they adhere to safeguards for civil liberties. Likewise, these agreements would enable U.S. law enforcement to bypass the MLAT process to directly request communications stored with foreign providers.
The lack of effective cross-border law enforcement treaties has exacerbated another nefarious trend: data localization. A growing number of countries, across the political spectrum and stages of development, have created barriers to global trade by initiating data-residency requirements that confine data within a country's borders. While countries use several "justifications" for these barriers - such as misguided privacy and security concerns - one primary motivation is to enable surveillance and government access to data for law enforcement. If data is stored locally, the thinking goes, foreign governments will not be able to halt investigations by stopping providers from fulfilling government requests. And for authoritarian countries like China and Russia, data localization also facilitates surveillance for domestic political and social purposes.
Whatever the justification, data localization has a growing impact on today's increasingly data-driven global economy. While there is a general international consensus that data localization harms the digital economy and often accomplishes little more than incremental, short-term economic gains, countries continue to create these barriers each year. Localization barriers make it harder for domestic firms to use data from overseas operations, which prevents them from using the centralized IT and analytical platforms at the heart of data-driven innovation and trade. Localization barriers discriminate against U.S. firms that use foreign data services by forcing them to use or set up local services when they otherwise would not, creating duplicative costs for businesses.
India provides a good example of this scenario, as it has a history of misusing or ignoring the MLAT process. For example, after the Department of Justice advised an Indian prosecutor to fill out an MLAT request in 2012 to obtain U.S.-stored information, the court instead issued a summons to several U.S. tech firms for not cooperating. India's frustration over its inability to access data stored abroad is a key driver for several recent data localization proposals. This situation makes India a prime candidate for a CLOUD Act-enabled agreement, as it would assuage the country's access concerns and enable better law enforcement cooperation for legitimate data requests. However, the United States should only execute such an agreement if India agrees to remove data localization barriers.
The case with India highlights the broader opportunity for the U.S. government to use the CLOUD Act as a lever against digital protectionist practices by insisting that countries eliminate data localization requirements as a condition of granting these executive agreements. By doing so, the United States could help build a new global norm regarding the importance of the free flow of data across borders.
The United States should start by pursuing CLOUD Act agreements with like-minded allies and partners, such as Australia, Canada, Japan, New Zealand, the United Kingdom, and the European Union. Doing so would send a clear signal that responsible countries can support both cross-border law enforcement and the critical role data plays in today's global economy.